Merge pull request de4dot#111 from angelsl/master
CryptoObfuscator: Detect if decrypter should skip before reading flag or vice versa
wtfsck committed Aug 29, 2015
2 parents 74408ae + 1338140 commit 21318d2
Showing 1 changed file with 27 additions and 14 deletions.
41 changes: 27 additions & 14 deletions de4dot.code/deobfuscators/CryptoObfuscator/ResourceDecrypter.cs
@@ -38,6 +38,7 @@ class ResourceDecrypter {
byte bitwiseNotEncryptedFlag;
FrameworkType frameworkType;
bool flipFlagsBits;
bool skipBeforeFlag;
int skipBytes;

public ResourceDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
@@ -179,21 +180,22 @@ void InitializeHeaderInfo(ISimpleDeobfuscator simpleDeobfuscator) {
bitwiseNotEncryptedFlag = 4;
}

static bool CheckFlipBits(MethodDef method) {
int nots = 0;
static bool CheckFlipBits(MethodDef method, out int index) {
int nots = 0, i;
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
index = -1;
for (i = 0; i < instrs.Count - 1; i++) {
var ldloc = instrs[i];
if (!ldloc.IsLdloc())
continue;
var local = ldloc.GetLocal(method.Body.Variables);
if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0)
continue;

if (instrs[i + 1].OpCode.Code == Code.Not)
if (instrs[i + 1].OpCode.Code == Code.Not) {
nots++;
index = i + 1;
}
}

return (nots & 1) == 1;
}

@@ -223,8 +225,10 @@ bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
constants.Add(flagValue);
}

flipFlagsBits = CheckFlipBits(method);
skipBytes = GetHeaderSkipBytes(method);
int notIndex, skipIndex;
flipFlagsBits = CheckFlipBits(method, out notIndex);
skipBytes = GetHeaderSkipBytes(method, out skipIndex);
skipBeforeFlag = skipIndex < notIndex;

switch (frameworkType) {
case FrameworkType.Desktop:
@@ -259,7 +263,7 @@ bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
return false;
}

static int GetHeaderSkipBytes(MethodDef method) {
static int GetHeaderSkipBytes(MethodDef method, out int index) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++) {
var ldci4 = instrs[i];
@@ -271,8 +275,10 @@ static int GetHeaderSkipBytes(MethodDef method) {
var blt = instrs[i + 1];
if (blt.OpCode.Code != Code.Blt && blt.OpCode.Code != Code.Blt_S && blt.OpCode.Code != Code.Clt)
continue;
index = i;
return loopCount - 1;
}
index = 0;
return 0;
}

@@ -312,15 +318,22 @@ static IEnumerable<MethodDef> GetDecrypterMethods(TypeDef type) {
}

public byte[] Decrypt(Stream resourceStream) {
byte flags = (byte)resourceStream.ReadByte();
if (flipFlagsBits)
flags = (byte)~flags;
Stream sourceStream = resourceStream;
int sourceStreamOffset = 1;
bool didSomething = false;

sourceStream.Position += skipBytes;
sourceStreamOffset += skipBytes;
if (skipBeforeFlag)
{
sourceStream.Position += skipBytes;
sourceStreamOffset += skipBytes;
}
byte flags = (byte)sourceStream.ReadByte();
if (flipFlagsBits)
flags = (byte)~flags;
if (!skipBeforeFlag) {
sourceStream.Position += skipBytes;
sourceStreamOffset += skipBytes;
}

byte allFlags = (byte)(desEncryptedFlag | deflatedFlag | bitwiseNotEncryptedFlag);
if ((flags & ~allFlags) != 0)
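Review bot: `skipBeforeFlag = skipIndex < notIndex;` in UpdateFlags compares two indices whose "not found" values disagree and whose meaning is looser than the field name suggests. CheckFlipBits overwrites `index` on every match, so it ends up at the last `not` that follows a qualifying `ldloc` (the parity test implies more than one can occur) and stays `-1` when there is none, while GetHeaderSkipBytes reports `0` when no skip loop is found. Since both values are derived from the IL of the assembly being analysed, an unexpected layout silently selects a read order in Decrypt instead of being rejected; in particular a decrypter that skips first but never flips the flag, if such a variant exists, would always be treated as flag-first. I would make the sentinels agree (`index = -1;` before `return 0;` in GetHeaderSkipBytes), write the test as `skipBeforeFlag = skipIndex >= 0 && notIndex >= 0 && skipIndex < notIndex;`, and add a comment on CheckFlipBits saying which `not` the index is meant to identify. The bodies of UpdateFlags and GetHeaderSkipBytes are only partly visible in these hunks.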